Securing Images in the Cloud

By: Neil Buckley, VP Technical Solutions, CynergisTek Inc.

November 30, 2012

Take a moment to reflect on the decades of digital imaging development that have produced “public embarrassment 2.0” in the public sector. Digital imaging has showcased people with all the colors of the emotional rainbow and unparalleled stupidity — but also has been an amazing media to improve lives the world over. Now, take a moment to consider the images of our family, friends and indiscretions, live on a global stage, and then imagine what it would be like if the images that your doctor views were to reside on that same global stage.

As you do so, ask yourself how securely Facebook, YouTube, Pintrest, Photobucket, Flickr or Shutterfly are designed to protect the images your doctor uses to diagnose your condition from public view. Also imagine that you have been in an accident and the Emergency Department doctor needs to see your images before he performs surgery. Can Amazon, Rackspace or Google provide the infrastructure to support the confidentiality, integrity and availability required of business-critical image storage?

Of course, you might be thinking at this point, it’s just a picture, right? So, let’s examine that for a moment. The digital image rendered by the camera on your phone can range in size from very small to very large. The larger the photo, the steeper the cost to process and transfer the image. Anyone with a teenager and a shared data plan knows the value of teaching them to send small pictures. Businesses everywhere are running into this challenge, and where there are challenges, there are opportunities. Those opportunities are gaining traction in lowering the TCO of image lifecycle management.

Imaging has been in place at hospitals for decades. Traditionally this technology was a bulky piece of specialty imaging equipment that supported input to the process of a clinical diagnosis. This technology was supported by the development of the Digital Imaging and Communication (DICOM) protocol in the mid-‘80s, which served as a universal standard for image sharing in the clinical setting. When coupled with the HL7 transport protocol, this process became a catalystfor change in the clinical decision-making process. It became possible to support image review remotely. Like most things designed in the ‘80s and reengineered in the ‘90s, it was a specification meant to solve a problem and facilitate a better transaction. Confidentially, integrity and availability were afterthoughts on this solution. Later specifications of the protocol bolted on security to the solution without the same unilateral success as the earliest specifications.

Today, in 2012, our imaging technology has come a long way, but the images are no more secure or private than they were when we started decades ago. Clinicians want the most detailed imagery they can get when making a diagnosis. If we think about sending these large images, we quickly see the magnitude and complexity of the healthcare clinician’s use; these images are only dwarfed by the CGI industry.

As healthcare providers look to reduce their expenses, they will look to outsource image storage and delivery to cloud service providers. That outsourcing process can put patient data at risk. The obligation to keep the data safe, secure and private remains in effect, regardless of the competing demands to lower costs and improve care security, and privacy cannot be sacrificed.

There is no such animal as free-IT; all services, infrastructure and business processes come with costs. They also come with risk. Businesses and consumers utilizing digital imagery need to be aware of these risks. Those risks might seem obvious, but let’s examine the most common and relevant ones for the purposes of this article.

Unauthorized access and disclosure of personal information. Typically at the top of most healthcare IT initiatives, not the clinical initiatives. Migrating private services to a public cloud infrastructure will place the data on those cloud infrastructures at greater risk than data supported, administered and delivered internally. In addition, organizations will need to open their infrastructure to those cloud services to ensure that the clinical workflow is not impacted adversely by the transition to the new service offering.

Ensuring the integrity of the data and service. Healthcare typically equates integrity and privacy with encryption. Traditionally, encryption has come in two distinct flavors, data encryption and transport encryption. For reasons I would attribute to poorly written legislation and regulatory guidance, data encryption has become device encryption, and the impact is still being felt on the internal infrastructures of most healthcare organizations across the country.

Managing an encryption model that adequately protects the data while facilitating the demand of the clinical workflow will be challenging for most information security programs. In translation, the security provided by the cloud providers will be accepted and remain untested to satisfy the demands of the clinical data, and the images will be at risk.

Availability of clinical data is a risk to the business for a whole host of reasons, but for the purposes of this discussion we’ll focus on patient safety. Cloud services utilize the Internet and shared infrastructure to keep the costs of their services lower than what your practice could theoretically reproduce them for internally, though I think we’re too soon to tell whether the ROI on the cloud services industry has been properly calculated. The risk to organizations is that the Internet or Amazon EC2 is down (well, it did happen). This will translate into potential patient safety issues. If you can’t process the image, it will be tough to render a clinical decision.

Of course I’ve used an example that will undoubtedly raise some eyebrows as to why folks would even consider this service as a cloud candidate. Consider for a moment; healthcare- clinical data is regulated and must be retained for a period of no less than 7 years

Now ask yourself if this is core business to healthcare? It’s not, taking care of sick people is. To accomplish the improvements demanded by the people, healthcare will need to be able to take advantage of these cost savings.

Well, damn the torpedoes, we’re going to do it, we’re out of options, our budgets have been flat since 2008, patient census is down, referrals are down, and we need to reduce costs so we can ensure the continuity of the mission to take care of sick people!

Take heed. Prepare the battlefield you’ll be fighting on. Shape it as much as you can to ensure victory (if that’s even possible). Ensure that you understand the risks and exposures of the cloud architecture options in painstakingly technical detail. Ensure that you understand the use of images to support the business of healthcare. Ensure that you have the support of the clinical community. Most IT practitioners in healthcare spend very little time in the point-of-care areas, and this can be disastrous when migrating an internal workflow to an external workflow. Embrace the SLA, be the SLA, and please use a seasoned contract professional to ensure that the provider is contractually obligated to deliver on your needs and requirements.

So, what should you do first?

Businesses should invest in the proper training and support staff to assist you in transitioning from an internal infrastructure to a cloud-based infrastructure. This means that you’ll need to accept that you’ll need to cultivate, hire or partner with the right talent. Given my experience on the inside of a large healthcare IT shop for a decade, I would advocate for hiring or partnering to deliver the right solution to your community.

Get educated and keep your eye on the next-generation horizon. The next-generation cloud service products that look to support an SLA model that embrace confidentiality, integrity and availability as part of the base feature sets, not a bolt-on, not an afterthought in response to pending legislation. CIA is actually considered part of the base specification and as history has taught us, when features are considered part of the base specification, and implemented smartly, our lives just become easier.

Consumers should just be cautious and smarter about the images they post. There is no privacy or security in the cloud or on the Internet. If you wouldn’t shout it in a quiet public setting like yoga, church or a high-end restaurant or perform it in the middle of the park on the busiest day of the year, don’t post it. It’s that simple.

Keeping Mobile Health Data Secure

Making the Most of Encryption, Other Precautions

By Marianne Kolbasuk McGee, October 8, 2012.

Breaches involving lost or stolen unencrypted mobile devices, especially laptops, continue to grab headlines. Of the 498 major breaches tracked by federal officials since September 2009, about 54 percent have involved lost or stolen unencrypted computers or storage media (see: Stolen Devices a Persistent Problem.)

Given all the publicity about these breaches – and the fact that the loss or theft of an encrypted device doesn’t have to be reported as a breach – why isn’t the encryption of mobile devices more widespread?

For starters, identifying and wrangling all corporate and personally owned mobile devices used in a healthcare setting that are candidates for encryption isn’t simple.

And then there’s the challenge of addressing misperceptions about encryption. That includes concerns about high costs (the price has come down substantially in recent years), difficult implementation (sometimes it’s as easy as turning on a factory-installed setting), and adverse impact on device performance (which some experts say is no longer a major issue).

“I’ve found that there is much misinformation and misunderstanding about encryption throughout the populations of doctors, nurses and other healthcare providers,” says security consultant Rebecca Herold, who heads Rebecca Herold & Associates.

Some provider organizations, including Beth Israel Deaconess Medical Center in Boston, have determined that to energize efforts to encrypt mobile devices, they must launch a high-profile campaign. And a growing number of providers, including Henry Ford Health System and the Department of Veterans Affairs, are turning to mobile device management systems to help prevent breaches involving mobile devices.

In addition, minimizing the data that gets stored on mobile devices also can help prevent breaches.

Encryption Strategy

When it comes to new devices that come equipped with encryption capabilities, making sure those settings are turned on before allowing network access should be made a matter of policy, Herold says.

“Current encryption solutions exist for mobile computers, such as laptops, and for storage devices, like USB drives, that are transparent to the user, don’t noticeably impact response time and are very easy to use, in addition to being comparatively inexpensive,” Herold says.

Encryption costs are small when compared with the cost of a breach, which “could ultimately cost an organization over $1 million” just for federal penalties for HIPAA non-compliance, she notes.

Putting encryption into practice soon will become easier, thanks to a rule for Stage 2 of the HITECH Act electronic health record incentive program, says Mac McMillan, CEO of CynergisTek, a data security and privacy services firm. The software certification rule requires that EHR software be designed to encrypt, by default, electronic health information stored on end-user devices.

“This forces encryption; you’d have to consciously turn it off,” McMillan says.

A High-Profile Effort

For many healthcare organizations, especially larger ones, identifying devices that lack encryption and then making sure they’re actually encrypted is proving to be a tall order. To help with the effort, Beth Israel Deaconess Medical Center is taking extraordinary steps to call attention to its encryption effort.

After an unencrypted laptop was stolen this spring from a physician office at Beth Israel Deaconess Medical Center in Boston, the organization put into place a mandatory encryption program for institutionally owned and personally owned mobile devices (see: Laptop Theft Spurs Encryption Ramp Up). In recent months, the medical center has set up several encryption depots on its Boston campus so that employees can bring their mobile devices in to ensure the gear is encrypted and up-to-date with anti-viral software and patches.

The medical center expects to complete encryption of all institution-owned mobile devices used to access patient information by the middle of this month, says John Halamka, CIO.

“In the next few weeks, we will be sending out a list of institutionally owned devices that have been encrypted to each manager and asking the manager to attest these are the only institutionally owned mobile devices in use within their area of responsibility,” he says.

For personally owned mobile devices being used for medical center business, Beth Israel Deaconess will provide advice and assistance on initial encryption, Halamka says. “For the most part, the encryption solution of choice will be whatever is native to the device’s operation system, for example Filevault or Bitlocker. If nothing native is available, we’ll suggest Truecrypt, an open source product,” he says. “We will require attestation of mobile device encryption when passwords are renewed.”

Mobile Device Management

Besides encryption, some organizations are also turning to mobile device management systems to help prevent breaches involving portable devices.

For the last year, Henry Ford Health System, which operates five hospitals, a medical group and health plan in Michigan, has been using a mobile device management system from AirWatch. The MDM requires all mobile devices that access the organization’s e-mail systems to have a screen lock with password protection that is triggered after a few minutes of inactivity, says Michael Starosciak, manager of client technical services.

Also, if a mobile device is lost, it’s “unenrolled” from AirWatch, preventing further access to the organization’s e-mail system and automatically erasing e-mail data from the device, Starosciak explains.

In addition, the health system requires employees to report a lost device immediately, so carrier service to the device can be stopped. The MDM system then remotely wipes all sensitive data from the device. If a personal device, such as a smart phone used on the job, is lost, the same policy holds.

For mobile devices that are shared among users, such as clinicians on different shifts, users can unenroll from AirWatch after their shift ends so that data is erased from the device before it’s used by someone else.

Among the other organizations that are turning to mobile device management systems is the Department of Veterans Affairs. The VA this month awarded a $4.4 million contract to FirstView Federal Technology Solutions LLC, for an MDM system that will eventually support 100,000 VA-owned and personal devices.

Additional Steps

Beyond adopting encryption and implementation of an MDM system, other steps organizations can take to help prevent breaches involving laptops and other mobile devices, Herold says, are:

• Storing as little protected health information on mobile computers as possible;
• Having well-written policies and supporting procedures for keeping mobile data secure;
• Using GPS or some other type of tracking mechanism to help locate a device if it’s lost or stolen;
• Installing remote wiping software;
• Conducting regular security training and ongoing awareness communications;
• Performing spot audits of laptops to make sure they are up-to-date with software patches and anti-viral software;
• Updating a complete inventory of all laptops and other mobile devices.

Mac McMillan Speaking at Hawaii-Alaska Chapter of HIMSS

Hawaii-Alaska Chapter of HIMSS Brownbag

October 9, 2012 @ 11:30

HMSA Building Multi-Purpose Room (MPR)

OCR Random Audits: A Look Inside

Presenter: Mac McMillian, HIMSS Privacy and Security Policy Task Force

This presentation will allow attendees the opportunity to discuss the OCR Random audit process, learn ways to assess their program and prepare for an audit.

Ø  During this session participants will:

Ø  Discuss what the audit process looks like and what to expect

Ø  Understand how to prepare your facility/department for the audit process

Ø  Understand how to review your program to understand weaknesses

Ø  Participants will review lessons learned from early audits

Ø  Heightened Enforcement and the Omnibus Rule

Ø  Where enforcement is at today and the signal HHS is sending

Mac McMillian serves as the National Chair for HIMSS Privacy and Security Policy Task Force.  The newly-formed HIMSS Privacy and Security Policy Task Force was established to bring together a group of industry thought leaders to support HIMSS’s formal response to new legislation, regulation, as well as to develop HIMSS policy position papers and tools that relate to healthcare privacy and security. One of the goals of the Task Force is to collaborate with fellow professional organizations like HFMA, MGMA, AHIMA, HCCA, etc. to formulate a broader industry response, when appropriate, as well.

___________________________________________________________

 

This is the fourth Brown-bag luncheon with this year’s theme of

“Bringing Healthcare Information Technology to the Consumer”:

–          July – Hawaii Health Connector (insurance exchange), presented by Coral Andrews, the Connector’s executive director

–         August – Update on HIMSS Advocacy, presented by Lee Castonguay, with Colin Underwood from Alaska

–         September  – Can Smart Cards help the consumer get more engaged in healthcare?, Presented by David King-Hurley of LifeNexus

o           UPCOMING – October 9  – OCR Random Audits: A Look Inside, presented by Mac McMillian, HIMSS Privacy and Security Policy Task Force

•                  Using Technology to Keep Seniors at Home

•                  Personal Health Records in the Cloud

•                  HIE for Everyone

•                  Privacy and Identity is a requirement

•                  MU 2 and 3, impacts on the consumer

•                  HIT Day for Public Policy

•                  Analytics and You

•                  Use of Games in Health Care

Van Zimmerman Presenting, North Central Regional Conference

North Central Regional Conference

October 5th, 2012

Indianapolis, IN

 

http://www.hcca-info.org/Events/EventInfo/sessionaltcd/003_AREA1512.aspx

 

 OCR Random Audits: A Look Inside 

Presenter: Van Zimmerman,  Principal, Privacy & Security, CynergisTek

This presentation will allow attendees the opportunity to discuss the OCR Random audit process, learn ways to assess their program and prepare for an audit.. 

During this session participants will: 

• Discuss what the audit process looks like and what to expect 

• Understand how to prepare your facility/department for the audit process 

• Understand how to review your program to understand weaknesses 

• Participants will review lessons learned from early audits

Mac McMillan, CEO of CynergisTek, Interviews with iHealthBeat

Monday, September 24, 2012

Guarding the Portal: Data Security Needs Rise With Patient Access

by John Moore, iHealthBeat Contributing Reporter

Health care providers, already grappling with information security, could see their responsibilities expand as demand grows for patient data access.

Federal policies require physicians and hospitals to make health care data available to patients. And with the increasing use of electronic health records, that handoff increasingly will take place online. A certain degree of electronic access already is required under Stage 1 of the federal government’s meaningful use EHR incentive program; that impetus will expand under Stage 2.

Industry executives expect that much of the patient data dissemination will take place through Web-based portals. For many health care providers, this will represent new ground. Hospital and medical practice websites traditionally have been informational, rather than access-oriented. Providers, accordingly, will need to step up their information security and privacy measures.

Jared Rhoads — senior research specialist at the CSC Global Institute for Emerging Healthcare Practices — said some health care facilities have been providing patient data access and attending to the associated security issues for some time. But those providers represent the exception, not the rule.

“Certainly, the vast majority of people have not plunged into [patient data access], so it is new for them,” he said. “Now, with all the new meaningful use measures, that is absolutely going to blow this wide open and make this something that everyone is going to be concerned about.”

A Call for Access

In August, CMS published the final rule governing Stage 2 of the meaningful use program, which goes into effect in 2014. Stage 1 criteria call for physicians and hospitals to provide patients an “electronic copy of their health information.” Stage 2 changes that language. Physicians must provide patients with the means to “view online, download and transmit their health information.” Hospitals must offer the same service to patients regarding hospital admissions.

The government’s escalating demand for patients’ access to health data can be seen in other policy statements as well.

HHS’ Office for Civil Rights in May issued a memo underscoring patient’s right to information and encouraging consumers to obtain a copy of their health record — whether paper or electronic. That message reiterates language in the HITECH Act of 2009, which gives patients the right to request health data in an electronic format if the provider is equipped with an EHR.

The access directives appear to be pushing health care providers toward portals as the mechanism for allowing patients to view and download their health data.

Mac McMillan — CEO of CynergisTek, a health care IT security firm — said a number of health systems already have established patient portals, pivoting off their EHR systems.

“I think patients are going to embrace the ability to go online and set up their appointments and get their meds and check their test results and communicate with their doctors,” he said.

But the portal push comes with a privacy and security burden.

“A patient portal, by its nature, has to accept a connection from the public on the open Internet and that brings you into the realm of Web security,” Sadik Al-Abdulla, senior manager with CDW’s security practice, said, adding, “It is the exact same threat landscape that major retailers face, that government agencies face.”

Securing the Portal

McMillan suggested three core elements for portal security.

• User Authentication — “If you are going to provide good access control, there has to be a way on the portal for patients to authorize uniquely to the portal, such that they are only looking at their own information and not somebody else’s,” McMillan explained.
• Secure Transport — A portal that allows users to download information must provide a secure, encrypted connection between patient and portal. This is often accomplished through a virtual private network (VPN) or a gateway that’s part of the provider’s network.
• Auditing and Integrity Control — Providers need to be able to audit what a user has done with the information obtained through a portal — what they have looked at and what they have changed. If a patient is able to enter or alter his or her health data, integrity control provides a way to verify the information. The EHR linked to the portal retains a patient’s previous data so they can be compared with the new data. If a patient with a penicillin allergy inadvertently changes the health record to indicate no such allergy, the system can flag the problem.

“Integrity is one of the biggest issues when you start allowing greater access to the information,” McMillan said. “You need to have a way to absolutely verify changes so they don’t create health issues.”

Rhoads, meanwhile, cited network scanning and monitoring as a key portal security measure. The idea is to scan for suspicious activity, such as a series of unsuccessful logins at an odd hour from an IP address outside of the country.

Privacy, Security and Responsibility

Some health care facilities — academic medical centers, for example — might develop their own portals and must assume responsibility for building in privacy and security controls. But many health care providers will turn to vendors for help in deploying portals. EHR vendors often include portal technology as part of their systems.

For a health care provider invested in an EHR system, “it becomes a pretty natural add-on to stick with the same vendor for the portal part,” Rhoads said.

Third-party health care portal vendors also are an option. In both cases, product vendors should provide the fundamentals of security — authentication, auditing and integrity checking — within their portal products.

“The portal should have all of those features encoded in the system itself,” McMillan said.

The secure transport component may be part of the portal or provided separately, via VPN, for example.

Physician practices in northern New York are beginning to deploy portals through their EHR systems.

Corey Zeigler — health IT program manager at the Fort Drum Regional Health Planning Organization — said the portal use is part of a project to get practices in a three-county area up to speed on EHRs and connected to a regional health information exchange. He said about 95% of the primary care providers in the area are participating.

Security, Zeigler noted, is baked into the vendor-provided portals, including website encryption.

Health care providers aren’t entirely off the security hook when they purchase a vendor’s product, however. Al-Abdulla commended EHR vendors for bundling security, but that posture only holds for the initial deployment. Hospitals should conduct periodic security assessments and architecture reviews, since the threat landscape and attack vectors constantly change, he said.

Patients have responsibilities as well. The general consensus among industry executives is that the hospital and its business partners are responsible for adequate user authentication, secure data storage and secure data transmission. However, once the data arrive on the patient’s computing device, the security job shifts to the user.

“It’s the patients’ responsibility to make sure they don’t upload it to a blog or broadcast it to the world,” Rhoads said.

Read more: http://www.ihealthbeat.org/features/2012/guarding-the-portal-data-security-needs-rise-with-growing-patient-access.aspx#ixzz27VgXgrAX

CynergisTek CEO to Speak at Five Educational Events in September

Industry Thought Leader, Mac McMillan, to Discuss Best Practices for Privacy and Security in the Era of Stage 2 Meaningful Use and OCR Audits

Austin, Texas, September 14, 2012— CynergisTek™, an authority in enterprise security and privacy solutions and services for healthcare organizations, today announced that its CEO and Chair of the Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Policy Task Force, Mac McMillan, will speak at five education sessions this month:

• NCHICA “OCR Audit Readiness: Advice from Those in the Know.” Monday, September 10, 2012 at 11:30 a.m. EST

• AHIA Tech Talk Roundtable call. Monday, September 10, 2012 at 3:30 p.m. EST
• Iowa HIMSS, “OCR Audit Process: A Detailed Look Inside, Mac McMillian, HIMSS Privacy and Security Policy Task Force.” Wednesday, September 12, 2012 at 2:30 p.m. CST

• CHCA Corporate Compliance Forum, Friday, September 14, 2012 at 8:00 a.m. CST
• AHiMA Privacy and Security Institute, “OCR Audits: Lessons Learned,” (presentation with David

Mayer, OCR Senior Advisor) Saturday, September 29, 2012 at 11:00 a.m. CST

McMillan will provide attendees with a foundational understanding of the most significant IT security challenges currently facing healthcare today, including the implications of Meaningful Use and other regulatory initiatives. In addition to his general update on current industry trends, McMillan will also share lessons learned from CynergisTek’s experiences providing consultative services to multiple entities chosen to undergo the pilot phase of OCR’s HIPAA Audit program.

“The latest regulatory shifts towards a more stringent set of healthcare IT security standards have increased the pressure on organizations to get their security house in order. Simultaneously, recent hacker activities, like the extortion incident in Illinois, have demonstrated that the stakes are much higher than simple regulatory compliance,” said McMillan. “Both these trends have driven very strong demand for our expertise and unique perspective, and I am looking forward to sharing some of those firsthand lessons and best practices around preparing for new threats and regulations at these upcoming events.”

CynergisTek’s solutions and services are specifically designed to help healthcare organizations improve their security posture, facilitate compliance, advance operational efficiency and foster trust. CynergisTek’s managed and on-demand solutions address the fundamental elements of information security management, including:

• Strategy and Governance
• Compliance and Risk
• Infrastructure
• Technical Vulnerability Management
• Audit Readiness
• Managed Security Solutions

About CynergisTek

CynergisTek is an authority in healthcare information security and privacy management, regulatory compliance, IT audit and advisory services, business continuity management, security technology selection and implementation, and secure IT infrastructure architecture and design solutions. The firm offers practical, manageable and affordable consulting services for organizations of all sizes and complexity. Using an organized, planned and collaborative approach, CynergisTek applies multidisciplinary expertise to serve as partner and mentor, to enhance the consulting experience and, ultimately, clients’ compliance and business performance. CynergisTek participates in and contributes to HIMSS, AHIMA, HFMA, HCCA, AHIA and other industry bellwether organizations.